Mastering Memory Forensics with Volatility

Sep 16, 2024

Memory Forensics with Volatility

Introduction

  • Welcome to Blue Team training series sponsored by Linode and Hackersploit.
  • Focus: Performing memory forensics with Volatility, especially analyzing memory dumps.
  • Previous video covered dumping volatile memory (RAM) from an infected Linux system.

Objectives of the Video

  • Introduction to Volatility.
  • Installing Volatility.
  • Analyzing memory dumps using Volatility.

Prerequisites

  • Basic familiarity with digital forensics.
  • Understanding of Linux and command line utilities.
  • Basic knowledge of the Linux kernel.
  • Note: Not covering the process of dumping Windows memory in this video.

What is Volatility?

  • Open source memory forensics framework for incident response and malware analysis.
  • Written in Python, supports Windows, macOS, and Linux.
  • Used to analyze memory dumps to extract important information (running processes, files, user info, hashes, etc.).
  • Useful for identifying attack occurrences and intrusion details.
  • Two versions: Volatility 2 (Python 2) and Volatility 3 (Python 3). The demonstration uses Volatility 2 because, at the time of recording, its plugin set was the larger and more mature of the two.

Resources

  • Volatility GitHub Repository.
  • Memory labs: intentionally built memory dumps arranged as CTF-style challenges, each with flags to recover from the dump.
  • An Ubuntu 18.04 server is used for analysis because its package repositories carry a Volatility 2 package, so no manual installation is needed.

Overview of Volatility

  • Framework for extracting digital artifacts from RAM.
  • Supports: Windows XP to Windows Server 2016, 32-bit and 64-bit Linux kernels, and macOS memory dumps.
  • Does not provide capabilities for memory sample acquisition (free and commercial solutions available).

Using Volatility

  • volatility --info lists the profiles, address spaces and plugins the installed build supports; the profile chosen from that list must match the operating system and service pack of the dumped machine.
  • Plugins extract specific artifacts from a dump, e.g., the cmdline plugin for each process's command-line arguments and the consoles plugin for cmd.exe command history.

Practical Demonstration Steps

  1. Install Volatility: sudo apt-get update && sudo apt-get install volatility (on Ubuntu 18.04 this installs the Volatility 2 package).
  2. Transfer the memory dump: copy it from the local machine to the analysis server with scp.
  3. Extract the memory dump: the lab archive is 7-Zip compressed; unpack it with p7zip (7z x <archive>).
  4. Run volatility with no arguments (or -h) to see the help text and the list of available plugins.
    • Run the imageinfo plugin (volatility -f <dump> imageinfo) to get the suggested profiles for the dump, then pass the chosen one as --profile=<Profile> to every later command.
  5. KDBG scan: the kdbgscan plugin locates the kernel debugger data block, which holds the pointers to the kernel's process and module lists; its per-profile hit counts are a more precise way to confirm the right profile than imageinfo alone.
  6. Extract running processes: pslist walks the kernel's linked list of active processes, and pstree shows the same processes as a parent/child tree. A process unlinked from that list (the usual rootkit hiding technique) appears in neither, so cross-check against psscan, which carves process structures out of memory regardless of whether they are still linked.
  7. Investigate specific processes: the cmdline plugin shows each process's full command line, e.g., which file WinRAR or MS Paint was opened with.
  8. Extract command history: the consoles plugin recovers the command history and screen buffer of cmd.exe sessions.
  9. Find flags: base64-decode any encoded strings found in the command history (base64 -d on Linux).
  10. Dump files: the dumpfiles plugin extracts cached files from memory; hivelist and printkey read the registry hives, and envars lists each process's environment variables.
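
The steps above are typed one at a time; the script below is an added example (not from the video, the lab, or the Volatility project) of automating the post-processing a practitioner does after running them. It invokes the Volatility 2 CLI through subprocess, diffs pslist against psscan to surface processes that are unlinked from the active list, and decodes base64 tokens in consoles and cmdline output. It assumes volatility is on PATH; the image path and profile given on the command line are placeholders, and the PSLIST_SAMPLE, PSSCAN_SAMPLE and CONSOLES_SAMPLE strings are constructed to resemble Volatility 2.6 output so the parsers can be exercised without an image.

```python
"""Triage helpers for Volatility 2 text output (added example, not the
video's or the Volatility project's own code)."""
import base64
import re
import subprocess
import sys

# pslist and psscan print one process per line: hex offset, image name, PID,
# PPID, then plugin-specific columns.  Only the shared prefix is parsed.
_PROC_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
_TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")
# Base64 runs of 16+ characters; shorter runs are mostly ordinary words.
_B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def vol_command(image, profile, plugin, *extra):
    """Build the argv for one Volatility 2 invocation."""
    return ["volatility", "-f", image, "--profile=" + profile, plugin, *extra]


def run_plugin(image, profile, plugin, *extra):
    """Run a plugin and return its stdout (needs volatility on PATH)."""
    return subprocess.run(vol_command(image, profile, plugin, *extra),
                          check=True, capture_output=True, text=True).stdout


def parse_processes(text):
    """Map PID -> {offset, name, ppid, exited} from pslist/psscan output.

    A line carrying two timestamps (created and exited) is marked exited;
    psscan also carves terminated processes, so this distinguishes 'gone'
    from 'hidden'.
    """
    procs = {}
    for line in text.splitlines():
        m = _PROC_LINE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        offset, name, pid, ppid = m.groups()
        procs[int(pid)] = {"offset": offset, "name": name, "ppid": int(ppid),
                           "exited": len(_TIMESTAMP.findall(line)) >= 2}
    return procs


def hidden_processes(pslist_text, psscan_text):
    """PIDs that psscan carved but pslist did not list, ignoring exited ones.

    pslist walks the active-process linked list; a process unlinked from it
    (DKOM) only shows up in psscan, which carves EPROCESS structures.
    """
    listed = parse_processes(pslist_text)
    carved = parse_processes(psscan_text)
    return sorted(pid for pid, p in carved.items()
                  if pid not in listed and not p["exited"])


def decode_base64_tokens(text):
    """Return (token, plaintext) pairs for tokens decoding to printable ASCII."""
    found = []
    for tok in _B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append((tok, raw.decode("ascii")))
    return found


# Constructed samples shaped like Volatility 2.6 output; not from a real image.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c8b040 explorer.exe           1324   1288     30      820      1      0 2019-12-11 14:35:02 UTC+0000
0xfffffa8001a1c060 cmd.exe                2896   1324      1       21      1      0 2019-12-11 14:36:56 UTC+0000
"""

PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e8b040  explorer.exe       1324   1288 0x1ea0a1e0 2019-12-11 14:35:02 UTC+0000
0x000000003f1c060  cmd.exe            2896   1324 0x1ea0a220 2019-12-11 14:36:56 UTC+0000
0x000000003d3f030  notepad.exe        1880   1324 0x1ea0a2a0 2019-12-11 14:40:01 UTC+0000   2019-12-11 14:41:10 UTC+0000
0x000000003c27030  unlinked.exe       3412   2896 0x1ea0a300 2019-12-11 14:42:33 UTC+0000
"""

CONSOLES_SAMPLE = """\
**************************************************
ConsoleProcess: conhost.exe Pid: 2904
Console: 0xff756200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4 OriginalTitle: %SystemRoot%\\system32\\cmd.exe
Title: C:\\Windows\\system32\\cmd.exe
AttachedProcess: cmd.exe Pid: 2896 Handle: 0x5c
----
CommandHistory: 0x2f6f80 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 at 0x2f7a10: cd Users\\Public
Cmd #1 at 0x2f7b30: echo ZmxhZ3tjb25zdHJ1Y3RlZF9zYW1wbGV9
"""


def main(image, profile):
    """Run the walkthrough's plugins against a real image and report."""
    pslist = run_plugin(image, profile, "pslist")
    psscan = run_plugin(image, profile, "psscan")
    for pid in hidden_processes(pslist, psscan):
        print("carved by psscan but missing from pslist: PID", pid)
    for plugin in ("cmdline", "consoles"):
        for tok, clear in decode_base64_tokens(run_plugin(image, profile, plugin)):
            print(f"{plugin}: {tok} -> {clear}")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: vol_triage.py <memory image> <profile>")
    main(sys.argv[1], sys.argv[2])
```

Against the constructed samples, hidden_processes reports PID 3412 only: notepad.exe (PID 1880) is also absent from pslist but carries an exit timestamp, so it is a terminated process rather than a hidden one. The base64 filter rejects tokens that fail strict decoding or yield non-printable bytes, which keeps plugin column names such as HistoryBufferMax from being reported as flags.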

Conclusion

  • Demonstrated how to utilize Volatility for memory forensics.
  • Found flags and extracted significant data.
  • Encouragement to explore more plugins and features.
  • Next video will cover disk analysis with Autopsy.